CVE-2009-5008
https://notcve.org/view.php?id=CVE-2009-5008
Cisco Secure Desktop (CSD), when used in conjunction with an AnyConnect SSL VPN server, does not properly perform verification, which allows local users to bypass intended policy restrictions via a modified executable file. Cisco Secure Desktop (CDS), cuando se utiliza junto con un servidor AnyConnect SSL VPN, no realiza debidamente la verificación, lo cual permite a usuarios locales eludir las restricciones de políticas a través de un archivo ejecutable modificado. • http://www.infradead.org/openconnect.html • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2010-0589 – Cisco Secure Desktop CSDWebInstaller ActiveX Control Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2010-0589
The Web Install ActiveX control (CSDWebInstaller) in Cisco Secure Desktop (CSD) before 3.5.841 does not properly verify the signatures of downloaded programs, which allows remote attackers to force the download and execution of arbitrary files via a crafted web page, aka Bug ID CSCta25876. El control ActiveX Web Install ActiveX en Cisco Secure Desktop (CSD) anterior a v3.5.841, no verifica adecuadamente las firmas de los programas descargados, lo que permite a atacantes remotos forzar las descargas y ejecuciones de archivos de su elección a través de una página web manipulada. También conocido con el Bug ID CSCta25876. This vulnerability allows remote attackers to execute arbitrary code on systems with vulnerable installations of Cisco Secure Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists in the Secure Desktop Web Install ActiveX control (705EC6D4-B138-4079-A307-EF13E4889A82). • http://securitytracker.com/id?1023881 http://www.cisco.com/en/US/products/products_security_advisory09186a0080b25d01.shtml http://www.securityfocus.com/bid/39478 http://www.zerodayinitiative.com/advisories/ZDI-10-072 https://exchange.xforce.ibmcloud.com/vulnerabilities/57812 • CWE-20: Improper Input Validation •
CVE-2010-0440 – Cisco Secure Desktop 3.x - 'translation' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2010-0440
Cross-site scripting (XSS) vulnerability in +CSCOT+/translation in Cisco Secure Desktop 3.4.2048, and other versions before 3.5; as used in Cisco ASA appliance before 8.2(1), 8.1(2.7), and 8.0(5); allows remote attackers to inject arbitrary web script or HTML via a crafted POST parameter, which is not properly handled by an eval statement in binary/mainv.js that writes to start.html. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en +CSCOT+/translation en Cisco Secure Desktop v3.4.2048, y otras versiones anteriores a la v3.5; tal y como lo utiliza el appliance Cisco ASA anteriores a v8.2(1), v8.1(2.7), y v8.0(5); permite a atacantes remotos inyectar secuencias arbitrarias de comandos web o HTML a través de un parámetro POST manipulado, el cual no es correctamente gestionado por una declaración eval en binary/mainv.js que escribe start.html. • https://www.exploit-db.com/exploits/33567 http://secunia.com/advisories/38397 http://tools.cisco.com/security/center/viewAlert.x?alertId=19843 http://www.coresecurity.com/content/cisco-secure-desktop-xss http://www.securityfocus.com/archive/1/509290/100/0/threaded http://www.securityfocus.com/bid/37960 http://www.vupen.com/english/advisories/2010/0273 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2006-5807
https://notcve.org/view.php?id=CVE-2006-5807
Cisco Secure Desktop (CSD) before 3.1.1.45 allows local users to escape out of the secure desktop environment by using certain applications that switch to the default desktop, aka "System Policy Evasion". Cisco Secure Desktop (CSD) en versiones anteriores a la 3.1.1.45 permite a usuarios locales salirse del escritorio seguro mediante el uso de ciertas aplicaciones que permiten el intercambio entre dicho escritorio y el escritorio por defecto, también conocido como "System Policy Evasion". • http://secunia.com/advisories/22747 http://securitytracker.com/id?1017195 http://www.cisco.com/warp/public/707/cisco-sa-20061108-csd.shtml http://www.osvdb.org/30307 http://www.securityfocus.com/bid/20964 http://www.vupen.com/english/advisories/2006/4409 https://exchange.xforce.ibmcloud.com/vulnerabilities/30130 •
CVE-2006-5808
https://notcve.org/view.php?id=CVE-2006-5808
The installation of Cisco Secure Desktop (CSD) before 3.1.1.45 uses insecure default permissions (all users full control) for the CSD directory and its parent directory, which allow local users to gain privileges by replacing CSD executables, aka "Local Privilege Escalation". La instalación del Cisco Secure Desktop (CSD) en versiones anteriores a la 3.1.1.45 utiliza permisos inseguros por defecto (todos los usuarios control total) para el directorio CSD y su directorio padre, que permite a usuarios locales conseguir privilegios mediante la sustitución de ejecutables del CSD, también conocido como "Local Privilege Escalation". • http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=442 http://secunia.com/advisories/22747 http://securitytracker.com/id?1017195 http://www.cisco.com/warp/public/707/cisco-sa-20061108-csd.shtml http://www.osvdb.org/30308 http://www.securityfocus.com/bid/20964 http://www.vupen.com/english/advisories/2006/4409 https://exchange.xforce.ibmcloud.com/vulnerabilities/30128 •